What is the bug?
Deleting a custom detection rule that has produced active findings and is part of an active detector results in a broken 'Security Analytics Findings' page within OpenSearch. Upon deletion of the rule, the Findings page fails to display any results and presents a blank area instead of the expected findings list.
How can one reproduce the bug?
Steps to reproduce the behavior:
1. Create a custom detection rule within the OpenSearch Dashboard.
2. Set up a detector and incorporate the created custom detection rule into its configuration.
3. Activate the detector.
4. Simulate conditions that would trigger the custom detection rule, thereby generating findings.
5. Verify that findings are visible and that the links 'Security Analytics' -> 'Findings' and 'Security Analytics' -> 'Recent findings' -> 'View all findings' operate as intended.
6. Delete the custom detection rule previously created.
7. Attempt to access findings via the 'Security Analytics' -> 'Findings' and 'Security Analytics' -> 'Recent findings' -> 'View all findings' links.
What is the expected behavior?
Upon deletion of the custom detection rule, the 'Findings' page should continue to display existing findings, retaining functionality for the user to view and manage other findings.
Actual Result: After the rule deletion, the 'Findings' page becomes inaccessible. Instead of displaying a list of findings, the page shows a blank side, and it becomes impossible to view any findings within the system.
Workaround: In order to regain access to the 'Findings' page after encountering this issue, the user must delete the entire detector that included the deleted custom detection rule.
Do you have any screenshots?
The main 'Security Analytics' -> 'Overview' page shows this under "Recent Findings". The findings from the deleted custom detection rule have empty values in the Rule name and Rule severity columns.
The Findings page is just an empty page.
Do you have any additional context?
This bug suggests there may be a lack of graceful handling of rule deletions with associated findings. The expected behavior would involve retaining the integrity of the Findings Page and handling the absence of deleted rules without disrupting the overall findings management functionality. It's critical to ensure that the UI appropriately reflects the system's state, even when components such as detection rules are removed.
rafaelma changed the title from "[BUG] Security Analytics Findings page breaks after deletion of Active Custom Detection Rule in OpenSearch" to "[BUG] Security Analytics Findings page breaks after deletion of active Custom Detection Rule in OpenSearch" on Jun 27, 2024
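One way a findings view can stay usable when a finding references a rule that no longer exists, shown as an added example that is not part of the issue or of the OpenSearch code base. The record shapes, field names and function names are hypothetical, and the fragile version only illustrates this class of failure; it does not claim to reproduce the plugin's actual defect.

```javascript
// Added illustration: all field names and record shapes are hypothetical,
// not the Security Analytics plugin's actual data model.

// Constructed sample data: rule "r-custom-1" was deleted after producing findings.
const rules = [
  { id: "r-prepackaged-7", title: "Suspicious login burst", level: "high" },
];
const findings = [
  { id: "f1", detectorId: "d1", ruleId: "r-prepackaged-7", timestamp: 1719480000000 },
  { id: "f2", detectorId: "d1", ruleId: "r-custom-1", timestamp: 1719480060000 },
  { id: "f3", detectorId: "d1", ruleId: "r-custom-1", timestamp: 1719480120000 },
];

// Fragile join: assumes every finding's rule still exists. One orphaned
// finding throws, and the whole table fails to render.
function toRowsFragile(findings, rules) {
  const byId = new Map(rules.map((r) => [r.id, r]));
  return findings.map((f) => {
    const rule = byId.get(f.ruleId);
    return { findingId: f.id, ruleName: rule.title, severity: rule.level };
  });
}

// Tolerant join: an orphaned finding stays visible with a placeholder, and the
// missing rule IDs are returned so the UI or an operator can flag them.
function toRowsTolerant(findings, rules) {
  const byId = new Map(rules.map((r) => [r.id, r]));
  const orphanedRuleIds = new Set();
  const rows = findings.map((f) => {
    const rule = byId.get(f.ruleId);
    if (!rule) orphanedRuleIds.add(f.ruleId);
    return {
      findingId: f.id,
      ruleName: rule ? rule.title : `(deleted rule ${f.ruleId})`,
      severity: rule ? rule.level : "unknown",
      ruleDeleted: !rule,
    };
  });
  return { rows, orphanedRuleIds: [...orphanedRuleIds] };
}

// Returns true when the fragile join throws on the constructed orphaned findings.
function fragileFails() {
  try { toRowsFragile(findings, rules); return false; } catch (e) { return e instanceof TypeError; }
}
```

Keeping orphaned findings visible matters for detection coverage: a finding produced before the rule was removed is still evidence an analyst may need to triage.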